On Fri, Sep 21, 2018 at 09:02:26AM +0530, Subhadip Ghosh wrote:
> Hi Roberto,
>
> On Friday 21 September 2018 08:51 AM, Roberto C. Sánchez wrote:
> > On Fri, Sep 21, 2018 at 08:34:50AM +0530, Subhadip Ghosh wrote:
> > > Hi,
> > >
> > > I am using Debian and recently I learned that a standard Debian
> > > installation allows all 3 types of traffics especially incoming by
> > > default.
> > What do you mean by "all 3 types of traffics"?
> Incoming, Outgoing and Forward

I see. Blocking incoming and forwarded traffic would probably not be
surprising to many people. However, blocking outgoing traffic would be
exceedingly confusing to many people.

> > > I know I can easily use iptables to tighten the rules but I wanted to know
> > > the reasons behind the choice of this default behaviour and if it makes
> > > the system more vulnerable?
> > The behavior you observe is likely because that is the best default that is
> > universally applicable.
> But does it make the system more vulnerable in any way to attacks over the
> network? And how would a new Debian user know of this behaviour? I
> don't even see it mentioned on the Stretch Installation manual anywhere.

I see. Perhaps the Debian Administrator's Handbook, Chapter 14 is what
you are looking for:

https://www.debian.org/doc/manuals/debian-handbook/security.en.html

While there is possibly an argument that not configuring a firewall by
default introduces some vulnerability, it is equally valid to argue that
there are no sensible default firewall policies that can be put into
place without a defined threat model.

I suspect that the vast majority of people deploying systems are doing
so behind some sort of device that provides border security to the local
network (e.g., router/firewall/NAT/etc.). So, if the default threat
model is "a relatively trusted network with adequate border security"
then the current default is appropriate. Those who deploy systems
directly to a location where they are in immediate contact with the
public Internet should already understand the ramifications of that
decision and tailor their installation process accordingly.

Regards,

-Roberto

--
Roberto C. Sánchez